Identifying Malware
May 13, 2015 11:30 PM

So I have some malware on my PC that appears to be trying to connect to all the domains in this list (or a very similar list)

https://www.google.com/fusiontables/DataSource?docid=1QWqZE2I6Vt45N4JFC5XrzUrfYkyIdT_NANNFmw

Runs about once or twice a day, slams through bunch of domains, here is an example

Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] weibo.com from
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[AAAA] weibo.com
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] tmall.com from
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[AAAA] tmall.com
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] vk.com from
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[AAAA] vk.com from
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] yahoo.co.jp Wed

etc etc etc

I've run Windows Malicious Software Tool, Avast boot time check, Malwarebytes, they did turn up a thing or two (thanks son) but are now reporting clear and yet I still see these domain hits. So what are my next steps in figuring out the culprit?
posted by zeoslap to Computers & Internet (7 answers total) 3 users marked this as a favorite
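An added example (not from the poster or any of the answers) of the kind of check this router-side DNS logging allows: a Python script that parses dnsmasq query lines like the ones quoted above and flags any client that resolves many distinct names inside a short window, the "slams through a bunch of domains" pattern the question describes. The sample log lines and client addresses are constructed (the question shows only truncated lines), and the threshold values are assumptions to tune per network.

```python
"""Flag bursts of DNS lookups to many distinct domains in a dnsmasq query log."""
import re
from collections import defaultdict, deque
from datetime import datetime

# One dnsmasq query line (constructed full form of the truncated lines in the question):
# "Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] weibo.com from 192.168.1.23"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(lines):
    """Yield (timestamp, client_ip, name) per query line; other dnsmasq output is skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["client"], m["name"].lower().rstrip(".")

def find_bursts(lines, window_s=60, min_domains=20):
    """Return (client_ip, burst_start, distinct_names) for each run in which one client
    resolved at least min_domains distinct names within window_s seconds. A and AAAA
    lookups of one name count once; a reported burst resets the window, so a run that
    fires twice a day is reported twice."""
    recent = defaultdict(deque)  # client -> (ts, name) pairs inside the sliding window
    bursts = []
    for ts, client, name in parse_queries(lines):
        q = recent[client]
        q.append((ts, name))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {n for _, n in q}
        if len(distinct) >= min_domains:
            bursts.append((client, q[0][0], sorted(distinct)))
            q.clear()
    return bursts

# Constructed sample: the four names quoted in the question from one host, normal browsing from another.
SAMPLE_LOG = """\
Wed May 13 09:02:11 2015 daemon.info dnsmasq[1338]: query[A] www.metafilter.com from 192.168.1.10
Wed May 13 09:02:11 2015 daemon.info dnsmasq[1338]: forwarded www.metafilter.com to 8.8.8.8
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] weibo.com from 192.168.1.23
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[AAAA] weibo.com from 192.168.1.23
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] tmall.com from 192.168.1.23
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[AAAA] tmall.com from 192.168.1.23
Wed May 13 17:10:19 2015 daemon.info dnsmasq[1338]: query[A] vk.com from 192.168.1.23
Wed May 13 17:10:20 2015 daemon.info dnsmasq[1338]: query[A] yahoo.co.jp from 192.168.1.23
Wed May 13 17:25:00 2015 daemon.info dnsmasq[1338]: query[A] www.metafilter.com from 192.168.1.10
""".splitlines()

if __name__ == "__main__":
    for client, start, names in find_bursts(SAMPLE_LOG, window_s=60, min_domains=4):
        print(f"{start} {client} resolved {len(names)} distinct names: {', '.join(names)}")
```

The burst's client address is the host to look at next; on a real log the default threshold of 20 names per minute keeps ordinary page loads from triggering.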
 
Honestly? You don't.

You back everything up on to an external drive, back up your drivers (use double driver), backup your licence keys (use key finder) and back up your windows tokens (use advanced tokens manager).

And then you do a full format and reinstall. If you're on windows 8 there is an option in windows to do this (someone else with windows 8 will be able to tell you) so you can skip backing up your tokens.

You could follow one of the numerous guides on the web (including one here on MF by Deezer) but there is absolutely no guarantee that you'll have nuked the virus. If you haven't, well, all that work you did has gone to waste.

Backup, format, reinstall. It sucks, it'll take half a day but at least you'll be certain that you've got rid of whatever you had.
posted by mr_silver at 12:51 AM on May 14, 2015 [4 favorites]


The "deezer" mr. Silver is referring to above is actually named Deezil - he is a mefi member who has a comprehensive guide to malware removal posted right in his profile and I can speak to both his computer knowledge and his willingness to help.
posted by EmpressCallipygos at 3:17 AM on May 14, 2015 [2 favorites]


Seconding wiping and reinstalling (and changing all of your important passwords) if you have malware.

To use a movie analogy, your computer is now in the Matrix. Your antivirus tools can ask the operating system if bad things exist, but because the operating system is subverted by the malware, it will reply back that nothing bad is there. The way to break free of the Matrix is to boot into a clean operating system, such as a Linux on CD/USB distribution, which is not controlled by the malware, and then clean up every booby trap left behind. If you miss one, you're back to square one again. I have cleaned up deep-seated malware before and frankly I'd charge more than the cost of a new computer to do it again because it's tedious and annoying. It's faster and easier to just start from scratch in most cases.

What is generating that list of domains?

P.S. Buy the kid(s) a Chromebook. If you're convinced that your son caused the malware infections, you can greatly reduce the chances of your important accounts getting compromised if you isolate his browsing to a hardened and easy to blow away operating system.
posted by Candleman at 3:39 AM on May 14, 2015


deezil's profile, as mentioned by EmpressCallipygos above.
posted by hangashore at 5:02 AM on May 14, 2015 [2 favorites]


Response by poster: @Candleman I'm tracking all outbound DNS requests from my router, so I can see the domains that are being accessed, and googling some of them together revealed the link I posted, so whatever is doing this looks to be pinging a similar list and doing its thing.

Would really prefer not to wipe and reformat but I understand that is indeed the best option, I'll check out deezil's guide and see what I can do first, I'd be reasonably confident I got it if I see the DNS hits stop.

Over the night I ran a full scan in safe mode with no networking and a quick glance this morning showed that it picked some things up, will check it out when I get home this evening.

Thanks all.
posted by zeoslap at 6:42 AM on May 14, 2015


Create another local user, log in as that user and see if these pings persist. If not, then blow away the profiles.

Another option would be to see if you have any system snapshots and revert to one of those.
posted by cjorgensen at 8:44 AM on May 14, 2015


The DNS queries certainly look suspicious, like an ad click fraud scheme, but some innocent stuff can cause some really weird looking DNS requests too. If they happen at a predictable time, you might be able to identify what's going on by using something like Sysmon. If it's poorly written malware, you also might be able to use something like Autoruns to track it down.

If you want to try to get rid of it, you can load a Linux Live CD/USB distribution that has ClamAV, update its malware signatures, and see if it finds it.

The other main thing you can do to narrow down what's causing the problem is to generate a list of all of the files in the Windows directory (including subdirectories) while in Windows, then boot into Linux and do the same thing. If there are files that Windows doesn't see but Linux does, those are the ones to start examining for malware signatures.
posted by Candleman at 11:11 AM on May 14, 2015 [1 favorite]
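An added example, not Candleman's code, of the cross-view comparison described in the last paragraph: a Python script that normalizes the two listings (Windows path case and backslashes, the Linux mount prefix) and reports files visible from only one side. It assumes the Windows listing was taken with `dir /s /b /a-d C:\Windows` (the `/a` switch matters, since plain `dir` omits hidden and system files) and the Linux one with `find /mnt/win/Windows -type f`; the mount point and all file names are constructed.

```python
r"""Cross-view diff of two listings of the Windows directory: one taken inside Windows
(dir /s /b /a-d C:\Windows) and one from a Linux live system (find /mnt/win/Windows -type f).
Files the live system sees but Windows does not are the ones to examine first."""

def normalize(line, prefix, sep):
    """Map one listing line to a lowercase, slash-separated path relative to the tree root.
    NTFS is case-insensitive, so case must not count as a difference. Blank lines and
    lines outside the compared tree return None and are dropped by the caller."""
    path = line.strip()
    if not path or not path.lower().startswith(prefix.lower()):
        return None
    return path[len(prefix):].replace(sep, "/").strip("/").lower()

def cross_view_diff(windows_lines, linux_lines,
                    win_prefix=r"C:\Windows", linux_prefix="/mnt/win/Windows"):
    """Return (hidden_from_windows, missing_from_disk): relative paths present in only
    one view. The first list is the rootkit-hiding suspect set; the second usually holds
    temporary files Windows created or removed between the two listings."""
    win = {normalize(l, win_prefix, "\\") for l in windows_lines} - {None}
    lin = {normalize(l, linux_prefix, "/") for l in linux_lines} - {None}
    return sorted(lin - win), sorted(win - lin)

# Constructed sample listings; the .sys name is a placeholder, not a real indicator.
WINDOWS_LISTING = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\drivers\etc\hosts",
]
LINUX_LISTING = [
    "/mnt/win/Windows/explorer.exe",
    "/mnt/win/Windows/System32/ntdll.dll",
    "/mnt/win/Windows/System32/drivers/etc/hosts",
    "/mnt/win/Windows/System32/drivers/EXAMPLE_HIDDEN.sys",
]

if __name__ == "__main__":
    hidden, missing = cross_view_diff(WINDOWS_LISTING, LINUX_LISTING)
    print("seen only by Linux (examine first):", hidden)
    print("seen only by Windows:", missing)
```

On a real system read the two saved listings with `open(..., encoding=...)` (the Windows one is typically in the console code page) and pass the line lists in place of the constructed samples.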

